QID 980396
QID 980396: Java (maven) Security Update for org.opencastproject:opencast-kernel (GHSA-mh8g-hprg-8363)
Security update has been released for org.opencastproject:opencast-kernel to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
The security configuration in `etc/security/mh_default_org.xml` enables a remember-me cookie based on a hash created from the [username, password, and an additional system key](https://docs.spring.io/spring-security/site/docs/3.0.x/reference/remember-me.html). Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring that all systems use the same key:
```xml
<sec:remember-me key="opencast" user-service-ref="userDetailsService" />
```
This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. For example, a remember-me token obtained from develop.opencast.org can be used on stable.opencast.org without actually knowing the log-in credentials.
Such an attack will usually not work on different installations assuming that safe, unique passwords are used but it is basically guaranteed to work to get access to all machines of one cluster if a token from one machine is compromised.
We strongly recommend updating to the patched version. Still, as a workaround for older versions, in `etc/security/mh_default_org.xml`, set a custom key for each server:
```xml
<sec:remember-me key="CUSTOM_RANDOM_KEY" user-service-ref="userDetailsService" />
```
- GHSA-mh8g-hprg-8363 -
github.com/advisories/GHSA-mh8g-hprg-8363
CVEs related to QID 980396
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-mh8g-hprg-8363 | org.opencastproject:opencast-kernel |
github.com/advisories/GHSA-mh8g-hprg-8363 |